Project

General

Profile

bug #7833

submitters can access see any registration in any RegistrationWorkingSet

Added by Andreas Kohlbecker 3 months ago. Updated 16 days ago.

Status:
Closed
Priority:
New
Assignee:
Andreas Kohlbecker
Category:
cdm-vaadin
Target version:
Release 5.5
Start date:
10/17/2018
Due date:
% Done:

100%

Severity:
normal
Found in Version:
Tags:
security phycobank

Description

Submitters can access any RegistrationWorkingSet where the registrations are all visible.
Registrations where the submitter is not the Registration.submitter should be hidden though.

The submitter can search for the reference via the "New Registration" view where existing publications can be selected.
. Clicking on "Continue" will get the submitter to the according RegistrationWorkingSetView where unpublished registrations can be visible. Seeing unpublished Registrations is ok as far as the publication has been published in the past!

Conclusion:

  1. Unpublished references must be hidden from the select in the "New Registration"
  2. RegistrationWorkingSet Unpublished references must only be accessible for submitters which have UPDATE permission | which are the creator ?? for this Reference.

Related issues

Precedes Edit - feature request #7968: ReferenceEditor: optional validation for completenes of Partial values in datePublished New 10/18/2018 10/18/2018

Associated revisions

Revision b32150b1 (diff)
Added by Andreas Kohlbecker about 1 month ago

ref #7833 restricting access to RegistrationWorkingsetView:
- AccessRestrictedViewControlBean to evaluate AccessRestrictedView.isAccessDenied()
- refactoring AccessRestrictedView class hierarchy

Revision d81bb53b (diff)
Added by Andreas Kohlbecker about 1 month ago

ref #7833 fixing inversly interpreted access denied

Revision 35a51c01 (diff)
Added by Andreas Kohlbecker about 1 month ago

ref #7833 registration start view only shows references for which the user has permissions

Revision 99741bc0 (diff)
Added by Andreas Kohlbecker about 1 month ago

ref #7833 registration start view excludes unpublished references

Revision 68369e5d (diff)
Added by Andreas Kohlbecker about 1 month ago

ref #7833 another method for UserHelper to scan for permissions

Revision 9e57572e (diff)
Added by Andreas Kohlbecker 17 days ago

ref #7833 fixing null-view bug

Revision 51cc6f53 (diff)
Added by Andreas Kohlbecker 17 days ago

ref #7833 permission checking in RegistrationWorkingSetService

Revision 943dcf96 (diff)
Added by Andreas Kohlbecker 17 days ago

ref #7833 adding missing check for anonymous authentication tokens to CdmUserHelper

History

#1 Updated by Wolf-Henning Kusber 2 months ago

RegistrationWorkingSet Unpublished references must only be accessible for submitters which have UPDATE permission | which are the creator ?? for this Reference.

Comment: Yes, if the publication is unpublished = a new workingset for new names and types.
Problem: published references of basionyms or replacement names or even old species epithets, needet for an infraspecific epithet. If those are needed for other new registrations they might be necessary.

#2 Updated by Andreas Kohlbecker about 1 month ago

  • Status changed from New to Feedback
  • Assignee changed from Andreas Kohlbecker to Wolf-Henning Kusber

Hallo Henning,

ich denke dieses Ticket sollten wir unbedingt noch lösen bevor wir externe Submitter zulassen.

Also highest und noch in diesem Release?

Andreas

#3 Updated by Wolf-Henning Kusber about 1 month ago

  • Assignee changed from Wolf-Henning Kusber to Andreas Kohlbecker

Unpublished references must be hidden from the select in the "New Registration" makes sense.
Question (2): creator = person or working set submitter?
A content issue: An author might work on a second unpublished article on names of a first unpublished article.

#4 Updated by Andreas Kohlbecker about 1 month ago

  • Assignee changed from Andreas Kohlbecker to Wolf-Henning Kusber

Wolf-Henning Kusber wrote:

Unpublished references must be hidden from the select in the "New Registration" makes sense.
Question (2): creator = person or working set submitter?

This is the workingset submitter-

A content issue: An author might work on a second unpublished article on names of a first unpublished article.

This should not be a problem since both references are unpublished but accessible for the submitter.

#5 Updated by Andreas Kohlbecker about 1 month ago

Issue solved, please review.

#6 Updated by Andreas Kohlbecker about 1 month ago

  • Precedes feature request #7968: ReferenceEditor: optional validation for completenes of Partial values in datePublished added

#7 Updated by Wolf-Henning Kusber about 1 month ago

  • Assignee changed from Wolf-Henning Kusber to Andreas Kohlbecker

Submitter can currently view/update unpublished references and datasets entered by the curator or a.

#8 Updated by Andreas Kohlbecker 17 days ago

  • Status changed from Feedback to Resolved
  • Assignee changed from Andreas Kohlbecker to Wolf-Henning Kusber
  • % Done changed from 0 to 60

Wolf-Henning Kusber wrote:

Submitter can currently view/update unpublished references and datasets entered by the curator or a.

This issue is solved now, please test again.

#9 Updated by Wolf-Henning Kusber 16 days ago

  • Assignee changed from Wolf-Henning Kusber to Andreas Kohlbecker
  • % Done changed from 60 to 100

Review: Submitter cannot see entries of other submitters. Security problem solved.

#10 Updated by Andreas Kohlbecker 16 days ago

  • Status changed from Resolved to Closed

Also available in: Atom PDF

Add picture from clipboard (Maximum size: 40 MB)